Remove token from client

main.go

@@ -1,8 +1,6 @@
 package main
 
 import (
-	"crypto/rand"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -45,7 +43,6 @@ func main() {
 	errLog := log.New(os.Stderr, "ERROR: ", log.LstdFlags)
 
 	listen := flag.String("listen", "127.0.0.1:8765", "listen address (host:port), should be loopback")
-	token := flag.String("token", "", "shared secret token; if empty, requests are allowed without authentication")
 	var allowed allowList
 	flag.Var(&allowed, "allow", "allowed path prefix (repeatable); if none, any path is allowed")
 	flag.Parse()
@@ -54,15 +51,6 @@ func main() {
 		errLog.Fatalf("refusing to listen on non-loopback address: %s", *listen)
 	}
 
-	if strings.TrimSpace(*token) == "" {
-		generated, err := generateToken()
-		if err != nil {
-			errLog.Fatalf("failed to generate token: %v", err)
-		}
-		*token = generated
-		infoLog.Printf("generated token (set this in the plugin config): %s", *token)
-	}
-
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
@@ -100,16 +88,6 @@ func main() {
 
 		rawPath = req.Path
 
-		if !checkToken(r, *token) {
-			// Allow token to be supplied via query string for GET fallback.
-			qt := strings.TrimSpace(r.URL.Query().Get("token"))
-			if qt == "" || !subtleStringEqual(qt, strings.TrimSpace(*token)) {
-				errLog.Printf("/open unauthorized method=%s path=%q headerToken=%t queryToken=%t dur=%s", r.Method, rawPath, strings.TrimSpace(r.Header.Get("X-Luxtools-Token")) != "", qt != "", time.Since(start))
-				writeJSON(w, http.StatusUnauthorized, openResponse{OK: false, Message: "unauthorized"})
-				return
-			}
-		}
-
 		target, err := normalizePath(req.Path)
 		if err != nil {
 			errLog.Printf("/open bad-path method=%s path=%q err=%v dur=%s", r.Method, rawPath, err, time.Since(start))
@@ -165,14 +143,6 @@ func isLoopbackListenAddr(addr string) bool {
 	return ip.IsLoopback()
 }
 
-func generateToken() (string, error) {
-	b := make([]byte, 32)
-	if _, err := rand.Read(b); err != nil {
-		return "", err
-	}
-	return base64.RawURLEncoding.EncodeToString(b), nil
-}
-
 func withCORS(w http.ResponseWriter, r *http.Request) {
 	origin := r.Header.Get("Origin")
 	if origin != "" {
@@ -182,28 +152,7 @@ func withCORS(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 	}
 	w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
-	w.Header().Set("Access-Control-Allow-Headers", "Content-Type, X-Luxtools-Token")
-}
-
-func checkToken(r *http.Request, required string) bool {
-	required = strings.TrimSpace(required)
-	if required == "" {
-		return true
-	}
-	got := r.Header.Get("X-Luxtools-Token")
-	got = strings.TrimSpace(got)
-	return got != "" && subtleStringEqual(got, required)
-}
-
-func subtleStringEqual(a, b string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	var v byte
-	for i := 0; i < len(a); i++ {
-		v |= a[i] ^ b[i]
-	}
-	return v == 0
+	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
 }
 
 func normalizePath(input string) (string, error) {